Inspired by the CQURE 5-day challenge I’ve decided to document some of the things that I’ve learned from the daily assessments. 🙂
Table of Contents
- Analyze a Windows Service
- Auditing permissions
- About handles and the SAM file
- Password Hashes
- Memory Dump
When we want to understand the permissions of Windows services, or especially when we have to deal with a service that we can’t manage as a local Windows Administrator, we come across a strange term called „SDDL“. It stands for Security Descriptor Definition Language and is a text-string format that contains security information for one or more objects.
Let’s play with a prepared service that we can start, but not stop, as a local Windows Administrator. To install the service simply use the parameter /install.
First let’s see if we can stop this service when we start another cmd with LocalSystem permissions. I do this with the help of PsExec, one of the Sysinternals process utilities.
PsExec.exe -s -i -d cmd.exe
And now let’s see if we can stop our particular service. Seems that we still have no luck 🙁
What we can do next is check the SDDL of the service. We can do this by typing:
sc sdshow stopme
sc sdshow stopme >stopme.txt
A possible SDDL string can look like this:
(D;; --> stands for Deny
(A;; --> stands for Allow
(A;;RPWP;;;SID) --> Allow start (RP) and stop (WP) of the service for a specific SID
;;;AU --> Authenticated Users
;;;BA --> Builtin Administrators
;;;SY --> Local System
With the command sc sdset we can overwrite permissions, but if I have a closer look at the SDDL of that service I notice that BA and SY already have permission to stop that service!
Let’s do an sc query to check how that service is configured:
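To make that „closer look“ repeatable, here is a small added example (my own code, not part of the challenge material) that parses the DACL part of a string in the shape sc sdshow prints, decodes the two-letter service rights and well-known SID abbreviations from the legend above, and answers who is allowed to stop or start the service after deny ACEs are applied. The two SDDL strings inside are constructed for the example, not taken from a real host.

```python
import re

# Two-letter SDDL right codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
# Well-known SID abbreviations used in SDDL; any other SID (S-1-5-21-...) is kept verbatim.
WELL_KNOWN_SIDS = {
    "AU": "Authenticated Users", "BA": "Builtin Administrators", "SY": "Local System",
    "IU": "Interactive Users", "SU": "Service Logon", "WD": "Everyone",
    "BU": "Builtin Users", "LS": "Local Service", "NS": "Network Service",
}
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl):
    """Return the DACL ACEs as (ace_type, principal, set of right names)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)  # DACL section only, SACL ignored
    aces = []
    for body in ACE_RE.findall(m.group(1) if m else ""):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("unexpected ACE layout: " + body)
        ace_type, _flags, rights, _obj, _inherit_obj, sid = fields
        if rights.startswith("0x"):
            names = {rights}  # raw hex access mask, left undecoded
        else:
            names = {SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                     for i in range(0, len(rights), 2)}
        aces.append((ace_type, WELL_KNOWN_SIDS.get(sid, sid), names))
    return aces

def who_can(sddl, right):
    """Principals holding an Allow ACE for `right` and no Deny ACE for it."""
    # Generic rights (GA/GR/GW/GX) are reported as-is, not expanded into service rights.
    aces = parse_dacl(sddl)
    denied = {p for t, p, r in aces if t == "D" and right in r}
    allowed = {p for t, p, r in aces if t == "A" and right in r}
    return sorted(allowed - denied)

# Constructed strings in the shape `sc sdshow` prints; not taken from a real host.
DEFAULT_LIKE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRRC;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
                "(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
DENY_ADMIN_STOP = "D:(D;;WP;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRRC;;;BA)"

if __name__ == "__main__":
    for label, s in (("default-like", DEFAULT_LIKE), ("deny BA stop", DENY_ADMIN_STOP)):
        print(label, "can STOP:", who_can(s, "STOP"), "can START:", who_can(s, "START"))
```

Feed it the text file written by sc sdshow and it tells you in one line whether BA and SY really hold WP, which is exactly the check that ruled out a permission problem here.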
sc query stopme
(NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
Seems that I was on the wrong path: the service isn’t unstoppable because of a permission issue, it’s by design!
Set the start mode of the service to disabled:
sc config stopme start= disabled
Let’s check which task belongs to this service:
sc qc stopme
Let’s kill that particular task:
taskkill /f /IM "stopmeifyoucan.exe"
Uninstall the service
What did we learn so far?
With the help of the PsExec.exe command line utility it’s possible to get a cmd with LocalSystem privileges. In some cases it’s then possible to start/stop a service where the local Administrators group is not allowed to. With the command sc sdshow „servicename“ we get the SDDL of the service. It can be helpful to write the output of the command to a text file. If the problem is based on a permission issue we can change the SDDL of the service by using the command sc sdset „servicename“ „SDDL value“. To get further information about how the service is configured we can use the sc query „servicename“ command. To get the binary path of a service we can use the command sc qc „servicename“. Last but not least we can set the start mode of the service to disabled by using the command sc config „servicename“ start= disabled and try to kill the involved task by using the command taskkill /f /IM „task.exe“.
Some recurring questions from that exercise:
Which command may be used to change the permissions of a service?
How can we specify service permissions to be used with the sc.exe sdset command?
How can you specify an AD group to include it in SDDL?
How is LocalSystem represented in SDDL?
Which account should be used if you’re a local administrator on your workstation and you have no permission to change service parameters?